2019-04-30 | Millionaires and merit scholars, Bug bounty tips, and CI Knew there would be bugs here

Tuesday, April 30

TOP STORY

• Millions of IoT devices vulnerable to eavesdropping, credential theft, remote compromises reports Krebs. The security flaws involve iLnkP2P, software developed by China-based Shenzhen Yunni Technology.

TWEET OF THE DAY

• Here’s how secure your location data is: Using a burner gmail address and zero verifying info, we got it. No federal law restricts the trade. This isn’t about privacy. It’s about security. - @tonydokoupil

OTHER ARTICLES WE’RE READING

• Cyber Coalition paper on VDP, emphasis on US. “CVD should be a standard component of public & private sector security programs, but not a replacement for other defenses.” Rapid7 policy director has some notes in a twitter thread.

• I C what you did there…  “CI Knew There Would Be Bugs Here” Exploring Continuous Integration Services as a Bug Bounty Hunter by @Rhynorater, @hacker_, and @EdOverflow. Relaed: Streaak published Keyhacks tool on GH.

• 190K Docker hubs compromised, see thread on Hacker News for more.

• Millionaires and merit scholars: The Hustle covers @try_to_hack, @cablej, CyFi, and more

• @jmalika and @TomNomNom on #bugbounty tips on proving XSS impact.

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
 

CVSS has very little context about the boutique risks of our environment and can’t reach that far into communicating them.

Ryan Magoo